Security Rule Safeguards – Administrative

Business associates must adopt administrative safeguards to protect PHI. These include:

  • Security Management Process – Implement a plan and continually evaluate it
  • Security Officer – Designate someone to implement/oversee security policies
  • Workforce Security – Plan for granting varying levels of access to PHI
  • Contingency Plan – Plan for responding to emergencies and natural disasters
  • Business Associate Agreements – Contracts between covered entities and business associates that protect PHI
  • Security Incident Procedures – Security incident response/reporting system
  • Termination Procedures – Prevent terminated employees from having access

Actionable Takeaways:

  • Access PHI only when necessary to perform job duties
  • Verify receipt of PHI once properly transmitted
  • Abide by all security policies and procedures
  • Appropriately report all security incidents
  • Destroy any physical (paper) PHI once it is no longer needed
  • Before disclosing PHI, ensure the recipient is authorized and there is a BAA